Wednesday Tidbit: PowerShell’s Import-PFXCertificate Removes the Private Key

I’ve been working on a complex automation solution recently in lab, and one task was to import a certificate to be used by VMware Horizon.

Those familiar with Horizon will know that any certificate used must have its corresponding private key installed alongside it, and that the key must also be exportable. The certificate also needs to have a friendly name of “vdm”.


All of the above is perfectly achievable in PowerShell, which is my scripting language of choice for this task.

It appears that when my script was run as LocalSystem, the certificate and key were successfully imported – but the private key was immediately deleted. Anyone viewing the certificate in the Certificates MMC snapin would be blissfully unaware of this “feature”:

Yup… all good here!

However, once the script had run I began to notice problems. Some Horizon services would start but not all of them. The HTML and Flex admin pages became unavailable, complaining about protocol errors.

The Solution

To get around this I modified my script so that PowerShell used the certutil command instead of Import-PFXCertificate.

To successfully import the certificate and key, and set the friendly name, I use the following:

# Install the certificate and private key from the PFX
# ($cert holds the path to the PFX file, $certPass its password)
certutil -f -p $certPass -importPFX $cert
# Retrieve the certificate details (matches a subject containing a literal '*', i.e. a wildcard certificate)
Set-Location -Path Cert:\LocalMachine\My
$myCert = Get-ChildItem | Where-Object { $_.Subject -match "\*" }
# Configure friendly name for Horizon
$tp = $myCert.Thumbprint
(Get-ChildItem -Path Cert:\LocalMachine\My\$tp).FriendlyName = "vdm"
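The MMC snap-in only reports that a private key reference is recorded on the certificate, which is exactly why the deleted key went unnoticed above. The following is an added example, not the post's own script, that performs the same certutil import and then actually opens the key, signs a test buffer and attempts a PFX export, so a missing or non-exportable key fails the script instead of surfacing later as Horizon protocol errors. The PFX path, password and subject pattern are assumed placeholders, and the key is assumed to be RSA:

```powershell
# Added example (not the post's script): import a PFX with certutil, then prove the
# private key is present, usable and exportable before setting the Horizon friendly name.
# Assumed inputs: a PFX at $PfxPath protected by $PfxPassword; the certificate is
# located by matching its subject against $SubjectPattern (a wildcard cert, as in the post).
param(
    [string]$PfxPath        = 'C:\Certs\horizon.pfx',   # placeholder path
    [string]$PfxPassword    = 'ChangeMe',               # placeholder password
    [string]$SubjectPattern = '\*',                     # regex: subject contains a literal '*'
    [string]$FriendlyName   = 'vdm'
)

# certutil imports the key alongside the certificate and leaves it exportable unless
# the NoExport modifier is given. -f overwrites an existing entry, -p is the PFX password.
& certutil.exe -f -p $PfxPassword -importPFX $PfxPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $SubjectPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate in LocalMachine\My matches '$SubjectPattern'" }

# HasPrivateKey (and the MMC) only say a key reference is recorded on the certificate.
# Open the key and sign something to prove the key container really exists.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $($cert.Thumbprint) has no RSA private key attached" }
try {
    $null = $rsa.SignData([byte[]](1..16),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
} catch {
    throw "Private key for $($cert.Thumbprint) is referenced but unusable (key container missing?): $_"
}

# Horizon needs the key exportable: exporting to PFX throws if the key is not.
try {
    $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
} catch {
    throw "Private key for $($cert.Thumbprint) is not exportable: $_"
}

# Only now set the friendly name Horizon looks for.
(Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)").FriendlyName = $FriendlyName
Write-Output "Imported $($cert.Subject) ($($cert.Thumbprint)); private key usable and exportable; friendly name '$FriendlyName'."
```

Run it elevated (or as the same LocalSystem context the automation uses) so that certutil targets the LocalMachine store; the signing probe is what distinguishes a key that is merely referenced from one that is actually present on disk.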
